b'    January 27, 2005\n\n\n\n\nInformation Technology\n Management\nManagement of Information\nTechnology Resources Within DoD\n(D-2005-029)\n\n\n\n\n               Department of Defense\n           Office of the Inspector General\n Quality               Integrity       Accountability\n\x0c  Additional Copies\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at http://www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit, Audit Followup and Technical\n  Support at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact Audit Followup and\n  Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932.\n  Ideas and requests can also be mailed to:\n\n                   ODIG-AUD (ATTN: AFTS Audit Suggestions)\n                   Inspector General of the Department of Defense\n                         400 Army Navy Drive (Room 801)\n                             Arlington, VA 22202-4704\n\n\n\n\nAcronyms\nBMMP                  Business Management Modernization Program\nDITPR                 DoD Information Technology Portfolio Repository\nEA                    Enterprise Architecture\nFISMA                 Federal Information Technology Security Management Act\nFMFIA                 Federal Managers Financial Integrity Act\nGAO                   Government Accountability Office\nGIG                   Global Information Grid\nIG DoD                Inspector General Department of Defense\nIT                    Information Technology\nITMA                  Information Technology Management Application.\nMID                   Management Initiative Decision\nOMB                   Office of Management and Budget\n\x0c\x0c         Office of the Inspector General of the Department of Defense\nReport No. 
D-2005-029                                                  January 27, 2005\n  (Project No. D2004AL-0139)\n\n            Management of Information Technology Resources\n                             Within DoD\n\n                                Executive Summary\n\nWho Should Read This Report and Why? Officials responsible for management of\nDoD information technology and officials responsible for the acquisition and\nmanagement of information systems should read this report. The report discusses the\nneed to establish an inventory of DoD information systems and build a consistent\ngovernance structure for information technology that will enhance management of DoD\ninformation resources and allow DoD to respond accurately to information requests from\nCongress and the Office of Management and Budget.\n\nBackground. The E-Government Act of 2002, Public Law 107-347, title III, \xe2\x80\x9cFederal\nInformation Security Management Act,\xe2\x80\x9d requires Federal agencies to develop, document,\nand implement an agencywide information security program and report annually to\nOffice of Management and Budget and Congress on the adequacy and effectiveness of\ninformation security policies, procedures, and practices. The Federal Information\nSecurity Management Act also requires that each agency develop and maintain an\ninventory of its major information systems.\n\nThe Office of Management and Budget Memorandum M-04-25, \xe2\x80\x9cFY 2004 Reporting\nInstructions for the Federal Information Security Management Act,\xe2\x80\x9d August 23, 2004,\nasks agencies about their inventory of major information systems and states that agencies\nmust provide a quarterly update to the Office of Management and Budget on agency\ninformation technology security performance measures. The quarterly reports will allow\nthe Office of Management and Budget to assess the security status of information\ntechnology for each agency. 
Office of Management and Budget Circular A-130,\n\xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d November 28, 2000, establishes policy\nfor information resource management and requires agencies to use a capital planning and\ninvestment control process that includes use of information technology portfolios.\nFinally, Office of Management and Budget Circular A-123 \xe2\x80\x9cManagement Accountability\nand Control,\xe2\x80\x9d June 21, 1995, requires agencies to report annually on management control\nweaknesses.\n\nResults. To align information technology investments with mission needs and achieve\neffective portfolio management, DoD officials should establish a definition for an\ninformation system and use it to develop and maintain an enterprisewide inventory of\ninformation systems; report the lack of an accurate or complete inventory as a material\nmanagement control weakness; institutionalize the policy on information technology\nportfolio management stated in the Deputy Secretary of Defense memorandum of\nMarch 22, 2004, and issue a Management Initiative Decision on governance and\nmanagement of information technology portfolios. These steps will allow DoD to better\nprepare and more accurately respond to Office of Management and Budget and\n\x0ccongressional inquiries, report on expenditures and planned investments, and identify,\nselect, and control investments through the capital planning and investment control\nprocess. Finally, the steps will help ensure the integrity of information and reduce the\nrisk of compromise to information technology investments. See the Finding section of\nthe report for the detailed recommendations.\n\nManagement Comments. We provided a draft of this report on December 20, 2004.\nNo management comments were received. 
Therefore, we request that the Under\nSecretary of Defense (Comptroller)/Chief Financial Officer and the Assistant Secretary\nof Defense for Networks and Information Integration/Chief Information Officer comment\non this final report by February 28, 2005.\n\n\n\n\n                                            ii\n\x0cTable of Contents\n\nExecutive Summary                                                          i\n\nBackground                                                                1\n\nObjectives                                                                3\n\nFinding\n     Transforming the DoD Management Approach to Information Technology    4\n\nAppendixes\n     A. Scope and Methodology                                             13\n          Management Control Program Review                               13\n     B. Prior Coverage                                                    15\n     C Legislation for Management of Federal Information Resources        17\n     D. DoD Information Systems\xe2\x80\x99 Databases                                18\n     E. Report Distribution                                               19\n\x0cBackground\n           Federal Information Security Management Act. The E-Government Act of\n           2002, Public Law 107-347, title III, Federal Information Security Management\n           Act (FISMA), requires Federal agencies to develop, document, and implement an\n           agencywide information security program and report annually to the Office of\n           Management and Budget (OMB) and the Congress on the adequacy and\n           effectiveness of information security policies, procedures, and practices.\n\n           FISMA requires that each agency develop and maintain an inventory of its major\n           information systems to support information resource management (resource\n           management). 
Resource management is the way in which an agency manages its\n           information resources, including information and related resources such as\n           personnel, equipment, funds, and information technology (IT), to achieve the\n           agency\xe2\x80\x99s mission. FISMA also cites specific resource management actions in\n           existing legislation that include:\n\n                    \xe2\x80\xa2   inventorying information resources,\n\n                    \xe2\x80\xa2   planning, budgeting, acquiring, and managing IT, and\n\n                    \xe2\x80\xa2   monitoring, testing, and evaluating information security controls.\n\n           Appendix C provides details on existing resource management legislation cited by\n           FISMA.\n\n           OMB FISMA Reporting Instructions. OMB Memorandum M-04-25 \xe2\x80\x9cFY 2004\n           Reporting Instructions for the Federal Information Security Management Act,\xe2\x80\x9d\n           August 23, 2004, provides agencies with updated instructions for FY 2004\n           reporting requirements. The instructions include questions that each agency must\n           answer in areas such as performance measures for IT security and inventory of\n           major information systems. The instructions state that OMB expects agencies to\n           have an inventory of major information systems and that agencies must provide\n           OMB with quarterly updates on their IT security performance measures for OMB\n           to use to assess the status of agency IT security. In addition, agencies must report\n           IT security weaknesses in the agency FISMA Report. 
Significant deficiencies1\n           must also be reported as material weaknesses under the Federal Manager\xe2\x80\x99s\n           Financial Integrity Act (FMFIA).\n\n           OMB Guidance on the Management of Federal Information Resources.\n           OMB Circular A-130, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d\n           November 28, 2000, establishes policy for managing information resources.\n           Circular A-130 requires agencies to create an enterprise architecture (EA), use a\n           capital planning and investment control process, and maintain an inventory of\n           major information systems.\n\n1\n    A significant deficiency is a weakness in the agency overall information systems security or management\n    control structure that significantly restricts the ability of the agency to carry out its mission or\n    compromises the security of its information systems or other resources, operations, or assets.\n\n\n\n                                                      1\n\x0c        EA Defined. The EA is the description and documentation of the current\nand desired relationships among business and management processes and IT,\nincluding a description of the current and target architectures. The agency capital\nplanning and investment control process builds from the current architecture to\ntransition into the target architecture. The EA must be supported with a complete\ninventory of agency information resources and must include appropriate\ninformation security controls.\n\n        Capital Planning and Investment Control Process. OMB guidance\ndefines the capital planning and investment control process as an ongoing\nidentification, selection, control, and evaluation of investments for information\nresources. The process includes establishing security controls, a portfolio of\nmajor information systems, and an IT Capital Plan. 
A portfolio consists of\nselected IT investments that are managed to prevent redundancy of existing or\nshared IT capabilities. The IT Capital Plan is the implementation plan for the\nbudget year.\n\n       Major Information System. Circular A-130 defines a major information\nsystem as one that requires special management attention because of its\nimportance to the agency mission; its high development, operating, or\nmaintenance costs; or its importance in the administration of agency programs,\nfinances, property, or other resources.\n\nGlobal Information Grid (GIG) Overarching Policy. DoD Directive 8100.1,\n\xe2\x80\x9cGlobal Information Grid (GIG) Overarching Policy,\xe2\x80\x9d September 19, 2002,\nprovides policy and assigns responsibilities for the GIG architecture and\nconfiguration management. The GIG architecture is the globally interconnected,\nend-to-end set of information capabilities, associated processes, and personnel for\ncollecting, processing, storing, disseminating, and managing information on\ndemand to war fighters, policy makers, and support personnel. The GIG supports\nall DoD missions with IT assets. Directive 8100.1 requires the establishment and\nmaintenance of an enterprisewide inventory of GIG assets and designates the GIG\narchitecture as the IT architecture required by the Clinger-Cohen Act of 1996.\nDoD Component heads are required to populate and maintain their portion of the\nGIG asset inventory and ensure that their architectures are consistent with the\nGIG architecture.\n\nFMFIA Reporting Guidance. OMB has issued a circular and a memorandum\nthat addresses FMFIA reporting.\n\n       OMB Circular A-123. OMB Circular A-123, \xe2\x80\x9cManagement\nAccountability and Control,\xe2\x80\x9d June 21, 1995, was issued under the authority of the\nFMFIA of 1982. Circular A-123 requires agencies to establish, assess, correct,\nand report on management controls. 
In addition, Circular A-123 defines material\nweaknesses as those management control deficiencies that the agency head\ndetermines to be significant enough to report outside the agency. Further,\nCircular A-123 requires agencies to develop corrective action plans for all\nmaterial weaknesses, and assess and report progress against those plans\nperiodically. Each agency must report annually material weaknesses in\nmanagement controls to the President and Congress.\n\n\n\n                                     2\n\x0c            OMB Memorandum. OMB memorandum \xe2\x80\x9cFY 2004 Performance and\n    Accountability Reports and Reporting Requirements for the Financial Report of\n    the United States Government,\xe2\x80\x9d July 22, 2004, provides guidance on preparation\n    and submission of agency Performance and Accountability Reports. The OMB\n    memo indicated that preparation of the Performance and Accountability Report\n    satisfies agency reporting requirements for the FMFIA of 1982. The Performance\n    and Accountability Reports are submitted to OMB and Congress.\n\n    DoD Portfolio Management Policy. Deputy Secretary of Defense\n    memorandum, \xe2\x80\x9cInformation Technology Portfolio Management,\xe2\x80\x9d\n    March 22, 2004, establishes DoD policy and assigns responsibilities for managing\n    IT investments as portfolios. The Clinger-Cohen Act of 1996 mandates the use of\n    a capital planning and investment control process for IT acquisition, and OMB\n    Circular A-130 mandates that the capital planning and investment control process\n    include portfolio management. The Deputy Secretary of Defense assigned the\n    DoD Chief Information Officer with the responsibility to institutionalize the\n    policy within 180 days to become part of the DoD Directive system. DoD\n    Directives transmit information to all DoD Components on how to initiate,\n    govern, or regulate actions.\n\n    Management Initiative Decision. 
A Management Initiative Decision (MID)\n    document is designed to institutionalize management reform decisions. A draft\n    MID pertaining to IT portfolio governance in the spring of 2004 sought to\n    establish a framework for managing IT investments as portfolios. Governance is\n    a single, integrated, hierarchical structure with enterprisewide standards and\n    oversight of IT transformation within DoD. The oversight process describes how\n    and by whom the transformation will be implemented within the DoD.\n\n\nObjectives\n    The objective of the audit was to assess the DoD implementation of title III,\n    section 301 \xe2\x80\x9cFederal Information Security Management Act of 2002,\xe2\x80\x9d Public\n    Law107-347. Specifically, we determined whether adequate processes and\n    controls were in place to develop and report on the status of DoD IT systems. See\n    Appendix A for a discussion of the scope and methodology and the review of the\n    management control program. 
See Appendix B for prior coverage related to the\n    objectives.\n\n\n\n\n                                        3\n\x0c                   Transforming the DoD Management\n                   Approach to Information Technology\n                   To align information technology investments with mission needs and\n                   achieve effective portfolio management, DoD officials must take the\n                   following steps:\n\n                   \xe2\x80\xa2   Establish a definition for an information system and use it to develop\n                       and maintain an enterprisewide GIG inventory of information systems,\n\n                   \xe2\x80\xa2   report the lack of an accurate or complete DoD inventory of GIG\n                       systems as a material management control weakness to OMB and\n                       Congress,\n\n                   \xe2\x80\xa2   institutionalize the policy on IT portfolio management stated in the\n                       Deputy Secretary of Defense memorandum, March 22, 2004, which\n                       requires IT investments to be managed as portfolios and integrated\n                       into the GIG architecture, and\n\n                   \xe2\x80\xa2   issue a MID on the governance and management of IT portfolios that\n                       allows top-level officials to oversee and approve new or improvements\n                       to existing information systems.\n\n                   These steps will allow DoD to better prepare and more accurately respond\n                   to the OMB and congressional inquiries on the status of DoD information\n                   systems, to report on DoD expenditure and planned investments, and\n                   identify, select, and control investments through the capital planning and\n                   investment control process. 
The steps will also help ensure the integrity\n                   of information provided to DoD officials and reduce the risk of\n                   compromise to IT investments. They will set into motion the management\n                   process for information systems that aligns the DoD EA with the\n                   management structure for IT systems that was envisioned by the OMB and\n                   the Congress.\n\n\nDatabases for DoD Information Systems\n           DoD developed and maintains four enterprise-level databases: the Information\n           Technology Management Application (ITMA); the IT Registry; the Business\n           Management Modernization Program (BMMP)2; and the DoD Information\n           Technology Portfolio Repository (DITPR). Each database uses different criteria\n           for collecting data about information systems to serve different purposes. See\n           Appendix D for a description of each DoD database. The Government\n\n\n2\n    The DoD BMMP is an effort to transform and modernize DoD business and financial processes and\n    systems. DoD prepared an information system inventory to support the BMMP. We refer to the\n    inventory as the BMMP database. See Appendix D for additional information.\n\n\n\n                                                    4\n\x0cAccountability Office (GAO) and the Inspector General, Department of Defense\n(IG DoD) reviewed three of the databases which provided insight into their\ncontent and structure.\n\nInsight into the Databases. The GAO conducted a review to identify FY 2004\nestimated funding for DoD business systems and to determine whether DoD has\neffective control and accountability over its business system investments. The\nGAO Report No. 
04-615, \xe2\x80\x9cDoD Business Systems Modernization: Billions\nContinue to Be Invested with Inadequate Management Oversight and\nAccountability,\xe2\x80\x9d May 27, 2004, provided vital information about the content of\nthe ITMA, IT Registry, and BMMP. The report indicated that:\n\n       \xe2\x80\xa2   The ITMA database is used to collect system information to develop\n           the DoD annual IT budget request, but it includes initiatives and\n           programs that are not IT systems.\n\n       \xe2\x80\xa2   The IT Registry database used the terms mission critical and mission\n           essential to identify information systems, but allowed each DoD\n           Component to determine whether a system should be reported as\n           mission critical or mission essential. This self-reporting practice\n           would not necessarily capture the universe of business systems.\n\n       \xe2\x80\xa2   The BMMP database included systems related to DoD business\n           operations; however, DoD did not develop a standard definition of a\n           business system.\n\n       \xe2\x80\xa2   The ITMA, IT Registry, and BMMP system inventory databases\n           contain varying information that overlaps.\n\n       \xe2\x80\xa2   DoD was attempting to reconcile the three databases.\n\nOne of the GAO report\xe2\x80\x99s recommendations was that the Secretary of Defense\ndirect the Under Secretary of Defense (Comptroller) and the Assistant Secretary\nof Defense for Networks and Information Integration to develop a standard\ndefinition for DoD Components to use in identifying business systems. The DoD\nresponse to the GAO report referenced the definition articulated in the Chief\nInformation Officer\xe2\x80\x99s July 13, 2004, memo. 
That memo included a decision tree\nthat used the system definition in DoD Directive 8500.1 \xe2\x80\x9cInformation\nAssurance,\xe2\x80\x9d October 2002, as a foundation for defining a system and then\nprovided additional guidance and examples for clarification. The DoD Directive\ndefined a system as a set of information resources organized for the collection,\nstorage, processing, maintenance, use, sharing, dissemination, disposition,\ndisplay, or transmission of information. It includes automated information system\napplications, enclaves, outsourced IT-based processes, and platform IT\ninterconnections.\n\nThe Chief Information Officer\xe2\x80\x99s July 13, 2004, memo indicated that the definition\nand decision tree applied to all mission areas and domains and would be used to\npopulate a new database--the DITPR. All DoD systems meeting the definition\nwere to be entered into DITPR by January 2005. On October 20, 2004, the DoD\nChief Information Officer issued another memo requiring Components to provide\n\n\n                                    5\n\x0c           data on all business systems or families of systems3 with annual expenditures of\n           $1 million or more to DITPR by January 14, 2005. The October memo required\n           DoD Components to use the definition in DoD Directive 8500.1 as a foundation\n           for defining a system, but provided yet further guidance and clarification than was\n           used in the July 13, 2004 memo. The October memo stated that data on non-\n           business systems or families of systems may be provided, but was not required.\n           As a result, the October 20, 2004, memo reduced the scope of the original DITPR\n           data call for January 2005 from DoD systems in all mission areas and domains to\n           only business systems or families of systems. 
The July 13, 2004, memo and the\n           October 2004 memo both required that any systems added to DITPR that were not\n           already in the IT Registry must be added to the IT Registry.\n\n           The ITMA, IT Registry, and BMMP collected information for different purposes\n           about various systems; thus, they did not use a consistent definition of what\n           constitutes an information system. In addition, the three databases included\n           varying information that overlapped and were not reconciled to each other. The\n           ITMA collected system information for the DoD annual IT budget request, but it\n           also included initiatives and programs that were not IT systems. The IT Registry\n           defined its systems as mission critical and mission essential, but allowed each\n           DoD Component to decide what to report. The BMMP did not use a standard\n           definition for a business system.\n\n           The first step in building an inventory is to define an information system. The\n           definition used for DITPR and the decision tree outlined in the July 13, 2004,\n           memo will help DoD define the universe of business systems but not the entire\n           inventory of information systems. To assist DoD IT managers, DoD must decide\n           what to include in its information systems inventory to help frame the definition\n           of an information system. The structure established in the Chief Information\n           Officer\xe2\x80\x99s July 2004 and October 2004 memorandums is a start; however,\n           additional work is needed.\n\n           Reliability of DoD Databases. DoD included various information from multiple\n           sources, including data calls to DoD Components, in its databases of information\n           systems. 
The GAO or the IG DoD reviewed three of the databases and identified\n           conditions that affected the usefulness of the data.\n\n                  ITMA. DoD uses the ITMA database to generate information to prepare\n           budget-related submissions. GAO Report No. 04-615 reported that the ITMA\n           database also includes initiatives and programs that are not IT systems.\n\n                   IT Registry. The IT Registry includes DoD mission-critical and mission-\n           essential systems. DoD Components are responsible for populating the IT\n           Registry, updating and maintaining the information, and certifying the accuracy\n           and completeness of the data. According to December 2003 IT Registry\n           guidance, Components are to add all nonmission-critical and nonmission-essential\n           systems to the IT Registry by September 30, 2006. The IG DoD Report No. D-\n           2003-117, \xe2\x80\x9cSystems Inventory to Support the Business Enterprise Architecture,\xe2\x80\x9d\n           July 10, 2003, stated that the DoD IT Registry would not necessarily capture the\n\n3\n    A family of systems is a set of independent systems that can be arranged or interconnected in various\n    ways to provide different capabilities.\n\n\n\n                                                       6\n\x0cuniverse of business systems because IT Registry guidance did not require all\nbusiness management systems to be reported, and because system definitions in\nthe registry guidance are subject to interpretation. In addition, IG DoD Report\nNo. 
D-2003-008, \xe2\x80\x9cImplementation of the Government Information Security\nReform by the Defense Finance and Accounting Service for the Defense\nIntegrated Financial System,\xe2\x80\x9d October 7, 2002, stated that DoD did not require\nthe IT Registry software to include data integrity controls that would ensure the\naccuracy, completeness, and validity of information in the database.\n\n         BMMP. As of April 2003, DoD used multiple sources, including data\ncalls, to identify an inventory of 2,274 business systems. In July 2004, the Acting\nUnder Secretary of Defense (Comptroller) testified that DoD was establishing a\nprogressively more comprehensive business system inventory and had identified\nmore than 4,000 systems, with more systems likely to be identified in the future.\nIn GAO Report No. 04-615, GAO determined that DoD does not have an accurate\ninventory of its business systems because it lacks a central repository, a\nsystematic way to identify its business systems, and a standard definition of what\nconstitutes a business system. The report stated that the initial repository of 2,274\nDoD business systems is neither complete nor informative enough for use in\ndecision making.\n\nAlthough each database serves a different purpose, each experienced problems in\nthe ability to use the data to develop a complete and accurate inventory of DoD\ninformation systems resulting from problems with the content, accuracy, or\ncompleteness of the data. FISMA reporting instructions and guidance require the\nsecurity controls of information systems to be monitored, tested, and evaluated.\nOMB requires agencies to provide quarterly updates of their IT security\nperformance measures that will permit OMB to assess agency IT security status.\nDoD information systems must be protected to ensure an appropriate level of\nconfidentiality, integrity, availability, and accountability and to ensure that DoD\noperations and missions are not disrupted. 
Until a complete and accurate\ninventory is identified and verified, there is little assurance that DoD knows the\nstatus of its systems.\n\nDoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security Certification\nand Accreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997, creates the DoD\nprocess for security certification and accreditation of information systems. The\nobjective of the process is to establish a standard approach to protect and secure\nthe entities that comprise the Defense Information Infrastructure. Standardizing\nthe certification and accreditation process minimizes the risks associated with\nnonstandard security implementations across shared infrastructure and end\nsystems. To ensure that information systems are protected and subjected to the\ncertification and accreditation process, DoD must be aware of the existence of its\ninformation systems. Otherwise, there is no assurance that the DoD enterprise\nitself is adequately protected.\n\n\n\n\n                                      7\n\x0cMaterial Management Control Weakness\n    FMFIA Reporting for FY 2003. OMB Circular A-123, \xe2\x80\x9cManagement\n    Accountability and Control,\xe2\x80\x9d June 21, 1995, was issued under the authority of the\n    FMFIA of 1982 and requires agencies to report annually on management control\n    weaknesses. For FY 2003, DoD reported nine systemic weaknesses in the\n    FMFIA section of its Performance and Accountability Report. The weaknesses\n    identified that the DoD financial and business management systems and processes\n    were not fully integrated and did not provide reliable, timely, and accurate\n    information. In addition, DoD officials reported that they need to better manage\n    IT and need assurance that IT is adequately protected. 
DoD also reported a\n    weakness in the IT Capital Investment Process in that the process does not\n    confirm that the best investments are selected, deliver expected benefits, or\n    perform as expected.\n\n    Inventory of Major Information Systems. In answering OMB questions on the\n    information system inventory, DoD stated that it uses the DoD IT Registry to\n    maintain an inventory of DoD major information systems. However, past reviews\n    found that the IT Registry would not necessarily include all major systems and\n    was not integrated with other information system databases. As a result, DoD\n    cannot be assured that it has a complete inventory of major information systems.\n    This is a material management control weakness in DoD resource management\n    that DoD did not report as a component of the systemic weakness in IT\n    management and assurance under the FMFIA.\n\n    If DoD does not have a complete inventory of major information systems,\n    planning improvement or system replacement is difficult, answers to questions\n    from OMB or Congress on major information systems may not be accurate, and\n    information assurance is at risk because there is little assurance that all systems\n    are adequately protected. In addition, DoD cannot build an EA and initiate the\n    capital planning and investment control process. DoD must report the lack of an\n    inventory of major information systems as a component of the systemic weakness\n    in IT management and assurance in future DoD FMFIA reporting until DoD can\n    develop and manage a GIG information system inventory.\n\n\nPortfolio Management Process-Recent Events\n    DoD Portfolio Management Policy. The Deputy Secretary of Defense\n    memorandum, \xe2\x80\x9cInformation Technology Portfolio Management,\xe2\x80\x9d March 22,\n    2004, established DoD policy and assigned responsibilities for managing IT\n    investments as portfolios. 
Portfolio management is defined as the management of selected groupings of IT investments using integrated architectures, measures of performance, risk management techniques, transition plans, and portfolio management strategies. The Clinger-Cohen Act of 1996 mandated the use of a capital planning and investment control process for IT acquisition, and OMB Circular A-130 mandated that the capital planning and investment control process include portfolio management. The Deputy Secretary’s memo stated that the decisions on which investments to make, modify, or terminate should be based on the GIG integrated architecture, mission area goals, architecture, risk, potential return, and outcome goals and performance. The memo also stated that the portfolio management process should consist of the following core activities.

    •   analysis that links mission area goals to DoD enterprise vision, goals, and objectives and how those will be achieved and measured; identifies gaps and opportunities; identifies risks and how they will be mitigated; provides a continuous process improvement; and determines strategic direction for mission area activities and processes,

    •   selection that identifies the best mix of IT investments to achieve outcome goals and plans and transition to “to be” architectures,

    •   control which ensures that a portfolio and individual projects in the portfolio are acquired in accordance with cost, schedule, performance, and risk baselines and are within the scope of the currently approved version of the GIG architecture, and

    •   evaluation that routinely and systematically assesses and measures actual contributions of the portfolio as well as supports adjustments to the mix of portfolio projects as necessary.

The guidance also sets policy that integrated architectures require mission area domains and DoD Component perspectives to better understand the organization and the capability gaps between the current and future environments. A mission area is a defined area of responsibility whose functions and processes contribute to accomplishment of the mission. In March 2004, the Deputy DoD Chief Information Officer testified that DoD uses the following three mission areas for portfolio management: war fighter, business, and enterprise information environment. Domains within mission areas are a common collection of related, dependent information capabilities. An integrated architecture consists of multiple views that facilitate integration and promote interoperability and compatibility among related architectures.

The Deputy Secretary’s March 22, 2004, memo states that integrated architectures must be developed to assess the process improvement opportunities within and across all levels, determine interoperability and capacity requirements, promote standards, identify and implement information assurance requirements, formulate and target investments to improve data and information management, and identify the required capabilities of the technical infrastructure.

To implement his policy, the Deputy Secretary assigned the following responsibilities to the DoD Chief Information Officer:

    •   Ensure that business and war fighting integrated architectures comply with the GIG.

    •   Establish a process for maximizing value and assessing and managing IT investment risk.

    •   Coordinate with the Principal Staff Assistants and the Chairman of the Joint Chiefs of Staff to provide a core set of uniformly applied criteria for portfolio management and selection.

    •   Institutionalize the policy within 180 days to become part of the DoD Directive system. DoD Directives provide information to DoD Components on initiating, governing, or regulating actions.

The policy also assigns responsibility to the DoD Principal Staff Assistants to establish business domains in coordination with the DoD Chief Information Officer and a repeatable portfolio management process that includes a governance structure.

As of December 2004, the policy has not been institutionalized. The Deputy Secretary’s memo began a process within DoD to rethink how IT investments should be acquired and managed more consistently with legislative requirements, to include the Paperwork Reduction Act of 1995, and subsequent OMB guidance. The Deputy Secretary’s memo stated that IT should be managed as portfolios, and the portfolio management process should be established and include certain core activities. The memorandum initiated a significant shift within the DoD on how it views and manages IT systems. DoD must now institutionalize the March 2004 policy in a DoD Directive that mandates change in the way DoD views and manages IT investments.

Redefining the Management of IT Systems

MID. A MID document is designed to institutionalize management reform decisions. A draft MID pertaining to IT portfolio governance in the spring of 2004 indicated that IT investments were defined and managed using an individual, platform, or system approach rather than a mission approach. These approaches allowed duplicative investments in systems to deliver the same or similar capabilities. The draft MID instituted the concept of portfolio management and changed the management approach to IT.
The MID established a governing authority to create and enforce policies to integrate the three DoD mission areas. The MID provides a framework that will allow mission area officials to manage IT investments as portfolios, implement DoD guidance, and finance activities within their areas. The mission area senior officials will define domains within their mission area, assign IT programs to a domain, and establish a governance process. The domain owners manage portfolios of information capabilities and services. The domain owners justify new capabilities; identify requirements for new programs; review, assess, and approve the DoD Components’ funding for IT programs; review programs for performance against capability requirements and schedules; maintain an inventory of systems in the domain; and develop and maintain a GIG-compliant domain architecture. A key point is that the MID requires the Principal Staff Assistants for the mission areas to finance activities of the mission areas and the DoD Chief Information Officer to issue DoD guidance for portfolio management.

DoD needs to enact a MID or comparable DoD Directive to implement congressional intent with regard to IT management, as expressed in the National Defense Authorization Act of FY 2005, to provide a consistent portfolio management process for all DoD mission areas, including domain review and approval of Component funding for all IT investments.
The new guidance would significantly reduce the risk of Component stove-piping of IT systems and would fund and field only those IT investments that are needed to fulfill the DoD mission and are integrated into the overarching architecture.

Conclusion

An asset inventory is the foundation for all portfolio management activities. Without a complete inventory of information systems, DoD cannot respond accurately to inquiries from Congress and OMB on the status of information systems, efficiently plan for future enhancements or replacement systems, prevent duplication of systems, report accurately on DoD expenditure for IT, and implement a system management process that is consistent with the EA. DoD assembled different databases for different purposes and used different definitions for an information system. The DITPR database is a positive step; however, additional efforts are needed. Before an inventory can be developed, DoD must develop a definition for an information system and use it consistently. Next, DoD must select a platform to host the inventory; establish procedures to address control of and input to the database; and establish a mechanism to oversee the effort, verify the input, and ensure that all information systems are entered.

The requirement for an inventory has existed for a long time; however, DoD has not established a complete inventory of its information systems or consistently defined an information system. Until these tasks are accomplished, DoD must report its lack of a major information system inventory in its annual reporting to OMB and Congress.
Finally, restructuring IT management within DoD will begin a management process for information systems that aligns the DoD EA with the management structure for information systems that OMB and Congress envisioned.

The Deputy Secretary’s memo began a process within DoD that rethought how IT investments should be acquired and managed more consistently with legislative requirements such as the Paperwork Reduction Act of 1995 and subsequent OMB requirements. DoD must institutionalize the policy in the March 22, 2004, memo in a DoD Directive to mandate change in the way DoD views and manages IT investments. Directions in the draft MID and congressional intent pertaining to IT management in the National Defense Authorization Act for FY 2005 must also be implemented as a further step in redefining how DoD manages and funds its IT investments as portfolios.

Recommendations

1. We recommend that the Assistant Secretary of Defense for Networks and Information Integration:

    a. Develop and staff a DoD Directive to:

        (1) Establish a definition for an information system that applies to all mission areas;

        (2) Require use of the definition to develop and maintain an enterprisewide inventory of information systems; and

        (3) Institutionalize the policy contained in the Deputy Secretary of Defense memorandum of March 22, 2004, on information technology portfolio management.

    b. Document in the DoD Federal Managers Financial Integrity Act and Federal Information Security Management Act Reports that DoD does not have an accurate or complete inventory of major information systems.

2. We recommend that the Under Secretary of Defense (Comptroller)/Chief Financial Officer forward the draft Management Initiative Decision on governance and management of information technology portfolios to the Deputy Secretary of Defense for decision.

Management Comments Required

The Under Secretary of Defense (Comptroller)/Chief Financial Officer and the Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer did not comment on a draft of this report. We request that the Under Secretary and the Assistant Secretary provide comments on the final report.

Appendix A. Scope and Methodology

We reviewed the Clinger-Cohen Act of 1996 and other legislation on resource management. We also reviewed the FISMA sections on information system security and inventory requirements, OMB guidance on resource management, the FMFIA, DoD documentation describing four DoD information system databases, and GAO and IG DoD audit reports on databases. Further, we reviewed documentation and guidance on IT investment portfolio management and a proposal to restructure the DoD management of IT investments.

We used pertinent guidance to assess DoD resource management practices, specifically the development and maintenance of an inventory of major information systems. We also considered proposals to modify the overall management of DoD IT investments and assessed DoD compliance on FMFIA reporting. We reviewed data from May 1995 through November 2004.

We performed this audit from April through December 2004 in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We did not use computer-processed data to arrive at the conclusions in this audit report.

Use of Technical Assistance. We did not use technical assistance to perform this audit.

Government Accountability Office High-Risk Area. The GAO has identified several high-risk areas throughout the Federal Government. This report covers the Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures area. In addition, GAO identified several high-risk areas in DoD. This report covers the Defense Systems Modernization high-risk area.

Management Control Program Review

DoD Directive 5010.38, “Management Control (MC) Program,” August 26, 1996, and DoD Instruction 5010.40, “Management Control (MC) Program Procedures,” August 28, 1996, require DoD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of the Review of the Management Control Program. We did not announce a review of the management control program as an audit objective because DoD recognized the management of IT and information assurance as a systemic weakness in the FY 2003 FMFIA report. Accordingly, we did not review management’s self-evaluation. However, we reviewed DoD compliance with the FISMA of 2002 requirement to maintain an agency inventory of major information systems to support resource management. We also reviewed the DoD FY 2003 FMFIA report.

Adequacy of Management Controls. We identified a material management control weakness for DoD as defined by DoD Instruction 5010.40.
DoD management controls for IT management and information assurance were not adequate to ensure that DoD developed and maintained an enterprisewide inventory of major information systems in accordance with the FISMA of 2002. Recommendation 1., if implemented, will improve DoD compliance with the FISMA inventory requirement. A copy of the report will be provided to the senior official responsible for management controls in the Office of the Assistant Secretary of Defense for Networks and Information Integration.

Appendix B. Prior Coverage

During the last five years, GAO and the IG DoD have issued 14 reports related to DoD management of IT resources. Unrestricted GAO reports can be accessed over the internet at http://www.gao.gov. Unrestricted IG DoD reports can be accessed at http://www.dodig.osd.mil/audit/reports.

GAO

GAO Report No. GAO-04-907T, “Department of Defense: Long-standing Problems Continue to Impede Financial and Business Management Transformation,” July 7, 2004

GAO Report No. GAO-04-376, “Information Security: Agencies Need to Implement Consistent Processes In Authorizing Systems for Operation,” June 28, 2004

GAO Report No. GAO-04-615, “DoD Business Systems Modernization: Billions Continue to Be Invested with Inadequate Management Oversight and Accountability,” May 27, 2004

GAO Report No. GAO-04-731R, “DoD Business Systems Modernization: Limited Progress in Development of Business Enterprise Architecture and Oversight of Information Technology Investments,” May 17, 2004

GAO Report No. GAO-04-551T, “Department of Defense: Further Actions Needed to Establish and Implement a Framework for Successful Financial and Business Management Transformation,” March 23, 2004

GAO Report No. GAO-04-115, “Information Technology: Improvements Needed in the Reliability of Defense Budget Submissions,” December 19, 2003

IG DoD

IG DoD Report No. D-2004-081, “Reporting of DoD Capital Investments for Information Technology,” May 7, 2004

IG DoD Report No. D-2003-117, “Systems Inventory to Support the Business Enterprise Architecture,” July 10, 2003

IG DoD Report No. D-2003-022, “FY 2002 Independent Assessment of the DoD Subset of Information Technology Systems for Government Information Security Reform Reported for FY 2001,” November 14, 2002

IG DoD Report No. D-2003-008, “Implementation of the Government Information Security Reform by the Defense Finance and Accounting Service for the Defense Integrated Financial System,” October 7, 2002

IG DoD Report No. D-2001-182, “Information Assurance Challenges - A Summary of Results Reported April 1, 2000 Through August 22, 2001,” September 19, 2001

IG DoD Report No. D-2001-175, “Application of Year 2000 Lessons Learned,” August 22, 2001

IG DoD Report No. D-2001-096, “Management of Information Technology Equipment, Office of the Secretary of Defense,” April 9, 2001

IG DoD Report No. D-2000-162, “Summary of Audits of Acquisition of Information Technology,” July 13, 2000

Appendix C. Legislation for Management of Federal Information Resources

FISMA. Public Law 107-347, FISMA, requires agencies to develop and maintain an inventory of major information systems operated by or under the control of the agency and to use the inventory to support resource management activities. FISMA requires the inventory to support the preparation and maintenance of information resources under section 3506(b)(4), title 44, United States Code. The Paperwork Reduction Act of 1995 (Public Law 104-13) amended chapter 35, title 44, United States Code to include section 3506(b)(4) requiring an inventory of agency information resources.

FISMA also requires the major system inventory to support IT planning, budgeting, acquisition, and management under section 3506(h), title 44, United States Code, subtitle III of title 40, United States Code, and related laws and guidance.

    •   The Paperwork Reduction Act of 1995 (Public Law 104-13) amended chapter 35, title 44, United States Code to include section 3506(h) requiring agencies to maximize the value and assess and manage risks of major information system initiatives by developing a process to select, control, and evaluate results of such initiatives.

    •   The Clinger-Cohen Act of 1996 (Public Law 106-104), section 5122 supplemented section 3506(h), title 44, United States Code by requiring that agencies use a capital planning and investment control process to provide for selection, management, and evaluation of IT investments. Public Law 107-217 recodified the Clinger-Cohen requirement as section 11312 under subtitle III, title 40, United States Code.

FISMA requires the major system inventory to support monitoring, testing, and evaluation of information security controls under subchapter II, title 44, United States Code.
The National Defense Authorization Act for FY 2001, subtitle G, “Government Information Security Reform,” amended chapter 35, title 44, United States Code by inserting subchapter II, which requires agencies to establish, test, and evaluate information security controls. The Government Information Security Reform requirements have been replaced by the requirements of FISMA.

FISMA requires the major system inventory to support preparation of the index of major information systems required under section 552(g), title 5, United States Code. The Electronic Freedom of Information Act Amendments of 1996 amended section 552 of title 5, United States Code to add subsection (g), which requires an index of agency major information systems.

Appendix D. DoD Information Systems’ Databases

DoD developed four databases: the ITMA, the IT Registry, the BMMP, and the DITPR. Each database uses different criteria for collecting data about information systems and collects the data to serve different purposes.

ITMA. According to the DoD Financial Management Regulation, the ITMA is a database application to plan, coordinate, edit, publish, and disseminate IT budget information for Congress and OMB. DoD Components are required to register their IT resources as initiatives in ITMA. Initiatives can be systems, families of systems, programs, projects, organizations, or activities.

IT Registry. The FY 2001 National Defense Authorization Act requires DoD to maintain an inventory of mission-critical and mission-essential information systems. According to DoD IT Registry guidance, the DoD IT Registry is the enterprisewide systems inventory used to fulfill the Act’s requirements and to prepare reports in response to FISMA, OMB, and Congress.

BMMP. The DoD BMMP is an effort to transform and modernize DoD business and financial processes and systems. The program includes development of a business EA as a blueprint for DoD business transformation. Business processes include financial, logistical, personnel, and procurement processes. The FY 2003 National Defense Authorization Act (Public Law 107-314) required DoD to develop an inventory of DoD systems to support the business EA that was based on a system definition to be developed by the Under Secretary of Defense (Comptroller). DoD responded by preparing an information system inventory to support the BMMP.

DITPR. In July 2004, DoD issued guidance on a new database, entitled the DITPR, which will support DoD portfolio management by collecting data on DoD information systems in all mission areas and domains. The guidance requires submission of information on selected business systems, with data on remaining DoD information systems to be collected later. In October 2004, DoD issued additional guidance requiring data to be submitted on remaining business systems or families of business systems.

Appendix E. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
   Director, Business Management Modernization Program
Under Secretary of Defense for Personnel and Readiness
Under Secretary of Defense for Intelligence
Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer
Director, Program Analysis and Evaluation

Joint Staff
Director, Joint Staff

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)

Other Defense Organization
Director, Defense Information Systems Agency

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Team Members

The Office of the Deputy Inspector General for Auditing of the Department of Defense, Acquisition and Technology Management prepared this report. Personnel of the Office of the Inspector General of the Department of Defense who contributed to the report are listed below.

Thomas Bartoszek
Barry Gay
John Huddleston
James Mitchell
Alejandra Rodriguez
Vicky Sain
Christopher Scrabis
Kathryn Truex